We Need to Think Beyond the Aaron in ‘Aaron’s Law’

The Computer Fraud and Abuse Act (CFAA)’s disproportionate penalties and lack of nuance played a role in Aaron Swartz’ prosecution and likely in his subsequent suicide. So three weeks ago, California Representative Zoe Lofgren introduced “Aaron’s Law” to update the CFAA.

Lofgren modified Aaron’s Law based on community feedback and released the updated version this past Friday. The Electronic Frontier Foundation has also proposed much-needed changes to CFAA’s penalty provisions. The law has yet to go before Congress, but these efforts matter.

But as we consider further ways to improve the CFAA, it’s important to keep in mind the less sympathetic young people who will inevitably violate this law. It’s tempting to focus on the CFAA’s treatment of hackers who fight political oppression or want to free information, but we can’t ignore the less sympathetic cases: the talented, angry, isolated, vulnerable, and often at-risk ones.

These kids — though not all of them are minors — deface websites, wage denial-of-service attacks, and engage in the online equivalents of petty crime. Their transgressions may not be high-minded or altruistic, but they too are entitled to justice. How do we explain to a young person who hacked their school’s website that they might be imprisoned for five years? Yet if they had physically destroyed the web server with a hammer, they would have faced no more than one year. This equation does not reflect the values of our society.

The misalignment of values and law not only leads to unjust prosecutions and unjust penalties, it also fails to create deterrents. Swartz’ prosecutors clearly intended to send a message, yet the message being received by the next generation of internet pioneers is that when it comes to technology, the law is arbitrary.

Micah Schaffer

Micah Schaffer is a technology policy consultant in San Francisco, California who campaigned as a youth for the balanced treatment of hackers in the public sphere. Schaffer was an early employee of YouTube, where he was responsible for policy creation and enforcement — including working extensively with law enforcement to protect child safety.

As a teenager, I attended one of computer hacker Kevin Mitnick’s pre-trial hearings. He was experiencing what would become four and a half years of pre-trial detention, repeatedly waiving his constitutional right to a speedy trial because the prosecution refused to provide access to the evidence (a tactic also employed against Swartz, who had been waiting nearly two years).

If prosecutors were trying to send a message, my friends and I were the exact audience it was intended for. However, we understood the evidence and found the allegations of harm to be absurdly exaggerated. My conclusion at the time was that it didn’t actually matter what he had done. It wasn’t that I thought Mitnick was innocent. (He wasn’t.) It was that I — and my peers — recognized he was being denied due process of law.

The lesson we drew was that when it came to technology, the criminal justice system was divorced from reality. Judges appeared to be ignorant and easily manipulated by fear. Actual evidence seemed irrelevant compared to the whims and career ambitions of prosecutors.

Despite this budding cynicism, I focused my energy on activism and advocacy rather than delinquency. Because I, like Swartz, had benefited from a stable, comfortable upbringing — with access to mentors and opportunities. I grew up, and I’ve now had the privilege of working alongside former computer-crime prosecutors in the private sector — all of whom were inspiring, principled colleagues.

I was once working for a company that experienced a sudden wave of high-profile user accounts being hacked; the attacker was adding spam links to posts, making money off each click. Although those spam links had garnered less than $100 at that point, each compromised account was considered a felony violation of the Computer Fraud and Abuse Act.

As part of our investigation into the security breaches, I contacted the company paying for the spam. While pursuing the information they provided, I found numerous other accounts and message board posts from the same person.

One post in particular indicated a deeply unhappy family situation.

We could have reported the crime to the FBI at any time, but we didn’t. Instead, I called the attacker on the phone: He turned out to be a very scared child.

He had a small, quivering voice. I identified myself and asked gently, did he know why I was calling? He did. We talked and he confirmed it had been a simple dictionary attack; he had written a script to retry passwords over and over until he found the right one. I was relieved to have confirmation as we had already implemented a fix earlier in the day.

It was surprising no one had done this to us sooner. I told him he was very bright, that many great software engineers had started out like him. But he needed to stay out of trouble if he wanted to grow up and become like them and that other people wouldn’t be so tolerant.

In exchange for a simple e-mail apology (with a copy of the script he wrote as proof), we considered the matter resolved.

Many such cases don’t warrant more than a lecture, but if prosecuted under the CFAA, defendants can face decades in prison and millions of dollars in fines. The threat of such a severe penalty also gives prosecutors too much power to coerce defendants into a plea bargain regardless of guilt.

This was true in Aaron Swartz’ case. According to a report in Massachusetts Lawyers Weekly, the district attorney’s office intended to admonish, not prosecute, Swartz. (After all, he probably did trespass into a closet at MIT.) His legal nightmare, however, only began when federal prosecutors took over the case. Prosecutorial discretion has an important role in our criminal justice system, yet the obscure, technical nature of computer crimes — combined with harsh sentencing guidelines — makes the CFAA particularly vulnerable to abuse by overzealous prosecutors.

No one is saying we should decriminalize computer intrusion. But we must bring the CFAA in line with our country’s values of proportional sentencing and due process of law if we hope to instill a sense of legitimacy and faith in justice among digital natives. Otherwise, we will continue to radicalize and alienate the next generation of innovators — while failing to deter crime.